Technical Field
This disclosure relates generally to the field of digital resource access, and more particularly to assessing security exposures in cloud-based computing environments.
Background of the Related Art
Identity and Access Management Governance is a set of processes and policies for organizations to manage risks and maintain compliance with regulations and policies by administering, securing, and monitoring identities and their access to applications, information, and systems. Although potentially complex in implementation, the concept of Identity and Access Management (IAM) Governance is fairly straightforward: determine who should have access to what resources and who should not, according to government regulations, industry-specific regulations (SOX, HIPAA, GLBA, etc.), and business regulations and guidelines. Typically, key aspects of IAM Governance include access request governance, entitlement certifications, reports and audits, and analytics and intelligence (including role management, entitlement management, separation of duties enforcement, and privileged identity management). An end-to-end IAM Governance solution may also provide related functions, such as access enforcement, user provisioning, password management, and user lifecycle management.
Identity and access management (IAM) systems protect enterprise data and applications with context-based access control, security policy enforcement and business-driven identity governance. These systems may be operated in a standalone manner, in association with cloud-based environments, or in hybrid environments.
An emerging information technology (IT) delivery model is cloud computing, by which shared resources, software and information are provided over the Internet to computers and other devices on demand. When multiple parties share resources within a cloud computing model or another such shared deployment model, a compelling transformation and reduction in their IT costs (from fixed to variable) can be achieved. Using this approach, companies can extend computing and storage capacity elastically to match demand, shift operational and capital costs to an external data center, free IT staff to focus on new projects, and more. Cloud compute resources are typically housed in large server farms that run networked applications, typically using a virtualized architecture wherein applications run inside virtual servers, or so-called “virtual machines” (VMs), that are mapped onto physical servers in a data center facility.
Many cloud applications, such as Salesforce.com, Office 365, and others, provide a way for administrators to allow other applications to access and manage the subject cloud application. An application of this type that has been granted access to a cloud application is known as a “connected application.” Typically, the administrator can specify details about the access the connected application should be given, such as access to read but not update data, or perhaps access to create new users in the cloud application. If the administrator is not careful, however, he or she may accidentally give the connected application more access than intended. Additionally, at some point there may no longer be a valid business reason to continue to allow the connected application access to the cloud application. If an administrator does not take explicit action to terminate the connected application's access, it will continue to have access that the administrator no longer intends, possibly exposing the cloud application to security risks (e.g., unintended exposed data, or unintended continued management).
Because these types of “connected applications” are not typically represented as accounts in the cloud application, normal security controls often overlook them. For example, reports related to privileges and dormancy often include only accounts, but not connected applications. Additionally, third party security products often focus on accounts to the exclusion of connected applications.
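The following is an added illustration, not part of this disclosure, of the gap just described: the same dormancy and excess-privilege checks that a conventional report runs over accounts are applied uniformly to accounts and connected applications, and the findings a connected-application-blind report would miss are listed separately. The permission names, the principal records, the 90-day dormancy threshold and the ownership check are assumptions chosen for the example; a real cloud application exposes its own scope names and audit data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed permission model (hypothetical; real cloud applications define
# their own scopes): each principal holds a set of granted permissions, and
# the review window records which of them it actually exercised.
READ, WRITE, MANAGE_USERS = "read", "write", "manage_users"


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str                        # "account" or "connected_app"
    granted: frozenset               # permissions the administrator granted
    used: frozenset                  # permissions exercised in the review window
    last_activity: Optional[datetime]
    owner: Optional[str] = None      # business owner who vouches for the access


def assess(principals, now, dormancy_days=90):
    """Apply account-style checks (dormancy, excess privilege, missing owner)
    to every principal, connected applications included."""
    findings = []
    for p in principals:
        dormant = (p.last_activity is None
                   or now - p.last_activity > timedelta(days=dormancy_days))
        if dormant:
            findings.append({"principal": p.name, "kind": p.kind, "risk": "dormant"})
        excess = p.granted - p.used  # granted but never exercised
        if excess:
            findings.append({"principal": p.name, "kind": p.kind,
                             "risk": "excess_privilege", "detail": sorted(excess)})
        if p.owner is None:
            findings.append({"principal": p.name, "kind": p.kind, "risk": "no_owner"})
    return findings


def account_only_assessment(principals, now, dormancy_days=90):
    """The conventional report: it enumerates accounts and nothing else."""
    return assess([p for p in principals if p.kind == "account"], now, dormancy_days)


def missed_by_account_only(principals, now, dormancy_days=90):
    """Findings that exist in the full assessment but never surface in the
    account-only report, i.e. the connected-application exposure."""
    seen = {(f["principal"], f["risk"])
            for f in account_only_assessment(principals, now, dormancy_days)}
    return [f for f in assess(principals, now, dormancy_days)
            if (f["principal"], f["risk"]) not in seen]


# Constructed sample inventory for the example (not real data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Principal("alice", "account", frozenset({READ, WRITE}), frozenset({READ, WRITE}),
              NOW - timedelta(days=2), owner="alice"),
    Principal("bob", "account", frozenset({READ}), frozenset(),
              NOW - timedelta(days=200), owner="bob"),
    # Integration granted broad management rights but only ever reads data.
    Principal("ledger-sync", "connected_app",
              frozenset({READ, WRITE, MANAGE_USERS}), frozenset({READ}),
              NOW - timedelta(days=1), owner="finance"),
    # Integration nobody owns any more and that has not been used in over a year.
    Principal("legacy-reporting", "connected_app", frozenset({READ}), frozenset(),
              NOW - timedelta(days=400), owner=None),
]

if __name__ == "__main__":
    print("account-only report:")
    for f in account_only_assessment(SAMPLE, NOW):
        print("  ", f)
    print("missed connected-application findings:")
    for f in missed_by_account_only(SAMPLE, NOW):
        print("  ", f)
```

With the sample inventory the account-only report flags only bob, while the uniform assessment additionally flags the excess privileges held by the active integration and the dormant, ownerless one; those are the findings the approach outlined in this disclosure is meant to surface.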
There remains a need to provide IAM systems with a way to apply to connected applications the security risk assessments that are normally applied only to accounts.